Beware Social Engineering at the CU

As James Cagney would say, “You dirty, double-crossing rat.” That’s the sentiment credit unions and small banks feel after falling for “social engineering” tactics.

Social engineers pretend to be someone they’re not in hopes that you’ll fall for their ploy and click on a link or attachment they send you that will surreptitiously download malware.

Here’s an example of how social engineering works: Someone sends an email to one or more people at your credit union, posing as a prospective member. The email might say, “Our company is thinking about opening a business account with your credit union. Please review our attached financial data and let me know which type of account would work best for us.”

Once receivers click on the document, they inadvertently download malware onto their computer.

Social engineers often use social networking to successfully deploy attacks because it’s often easier to get into your network that way than it is to discover ways to hack your software.

Here’s an example of how easy it is for a cyber thief to attack you through social networking. The hacker, Mr. Badman, targets ABC Credit Union. He goes to LinkedIn to see who is affiliated with the organization. There, he sees that Bob Beaty Brown is the chief financial officer and that Elizabeth Ann White is the executive administrative assistant. Then, Badman hunts for the names Elizabeth Ann White and Bob Beaty Brown on Facebook.

Lo and behold, not only are they both there, but Brown’s profile is marked “public,” so anyone can see his page. It shows he works for ABC Credit Union, and he just so happens to have posted photos of him and his wife, Cathy, from their recent trip to the Bahamas. Badman calls up ABC and asks for Elizabeth’s email. He then sends her an email saying, “Hi Elizabeth. I had dinner in the Bahamas with Bob and his wife, Cathy. He asked that I email you the attached receipt.” Elizabeth then clicks on the attachment and unwittingly downloads malware onto her computer.

Social networking sites can be a great way to promote your credit union, but they could also wreak havoc if you’re not careful with what information you share.

Train your employees to use social networking sites securely. Be wary of friend requests from people you don’t know just because they are “friends” of your friends. Keep your Facebook account on private settings.

Be wary of clicking on any link without first hovering over it to see where it actually leads. For example, you might click on a link whose text says cutimes.com, but the link might really point to another domain. In this case, I have set that link to take you to Secureworks.com, but a hacker could point that link at some other domain that would download malware once you click on it. Don’t click on shortened links, such as bit.ly/1aY2bGy, because even when you hover over a shortened link with your mouse, you still can’t see the actual domain it takes you to.
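The “hover before you click” check above can also be automated on the HTML body of an incoming message. The following is an added example written for this article, not code from the author or from any vendor mentioned: it lists every link whose visible text names one domain while the real destination is another, and every link routed through a URL shortener. The shortener list and the “looks like a URL” pattern are assumptions, and the sample email is constructed from the article’s own examples.

```python
"""Flag links whose visible text disagrees with their real destination."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of common URL shorteners (an assumption, not from the article).
SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly"}
# Visible link text that itself looks like a domain or URL (crude check, an assumption).
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)

def host_of(url):
    """Hostname of a URL; scheme-less text such as 'cutimes.com' is accepted."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()

def registrable(host):
    """Last two labels, so www.cutimes.com and cutimes.com compare equal (no public-suffix list)."""
    labels = host.strip(".").split(".")
    return ".".join(labels[-2:])

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from every <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def audit_links(html):
    """Return (visible_text, href, reason) for each anchor a reader should not trust."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        target = host_of(href)
        if target in SHORTENERS:
            findings.append((text, href, "shortened link hides destination"))
        elif LOOKS_LIKE_URL.match(text) and registrable(host_of(text)) != registrable(target):
            findings.append((text, href, f"text says {host_of(text)} but link goes to {target}"))
    return findings

# Constructed sample email body built from the article's own examples.
SAMPLE_EMAIL = """<p>Bob asked me to send you the receipt: <a href="http://bit.ly/1aY2bGy">photos</a></p>
<p>Read more at <a href="https://www.secureworks.com/">cutimes.com</a></p>
<p>Legitimate: <a href="https://www.cutimes.com/news">www.cutimes.com</a></p>"""
```

Running `audit_links(SAMPLE_EMAIL)` flags the shortened link and the mismatched cutimes.com link, and leaves the legitimate one alone.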

It would be nice to be able to trust everyone, but when you don’t “trust but verify,” you often end up communicating with a rat. And that stinks.